DNSCrypt does not make sense – a rant

Over at the OpenDNS Blog, there is an announcement of a new service called “DNSCrypt”. It is being advertised as a security enhancement. But that makes no sense at all. What DNSCrypt does is encrypt and authenticate the traffic between your machine and OpenDNS’s resolvers; it says nothing about whether the answers those resolvers return are correct. Perhaps it works for income enhancement at OpenDNS, but it is not clear that it could enhance security.

There is already a standard for enhancing DNS security, namely DNSSEC. Unfortunately, OpenDNS has been opposed to DNSSEC. And now they are pushing the faux security of their DNSCrypt as an alternative.

Let’s first look briefly at DNSSEC. It uses digital signatures to validate the data itself: the zone owner signs its records with a private key, and anyone holding the published public key can check those signatures. If the signature verifies, you can be sure that the result of your DNS lookup is what the zone owner published, no matter which resolver or intermediary relayed it. I can understand why OpenDNS does not like DNSSEC, for the OpenDNS business model is to make money by feeding you bogus DNS lookup results.

Here’s part of what OpenDNS is saying about the benefits of DNSCrypt:

It happens all the time on insecure networks at coffee shops, and even residences. Some ISPs have even been accused of spying on their customers’ activity. What’s worse, the “last mile” is ripe for man-in-the-middle attacks, where an intermediary injects themselves into your traffic path masquerading as your intended destination, but all the while, being able to see and modify your traffic. This leaves little confidence for the Internet user.

That’s laughable. OpenDNS is itself a “man in the middle”. It sits between you and the authoritative name servers, sees every query you make, and can answer however it pleases. An encrypted channel to OpenDNS only guarantees that you are talking to OpenDNS; it does not guarantee that OpenDNS is telling you the truth. Moreover, it makes money from the results of that spying.
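To make the distinction concrete, here is an added example (my own illustration, not code from the original post, from OpenDNS, or from any DNSSEC implementation). It models a zone owner that signs its A record, a resolver that either relays or rewrites the answer, and two clients: one that trusts an authenticated channel to the resolver (the DNSCrypt model) and one that checks the zone owner’s signature over the data (the DNSSEC model). Lamport one-time signatures stand in for the RSA/ECDSA signatures real DNSSEC uses, so it runs on the Python standard library alone; the zone name, the addresses and the function names are constructed for the demo.

```python
import hashlib
import os

# Constructed zone data for the demo (RFC 5737 documentation addresses).
ZONE_NAME = "example.com."
TRUE_ADDR = "192.0.2.1"
BOGUS_ADDR = "198.51.100.99"   # what a lying resolver hands back instead


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(name: str, rtype: str, rdata: str) -> bytes:
    """Canonical bytes of one record: this is what gets signed and verified."""
    return f"{name.lower()}|{rtype.upper()}|{rdata}".encode()


# Lamport one-time signatures stand in for the RSA/ECDSA RRSIGs of real
# DNSSEC so that the example runs on the standard library alone. The property
# the argument needs is the same: only the private key can sign, anyone with
# the public key can verify. (One-time: each key signs exactly one message.)
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the preimage matching that bit's value.
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg))))


def zone_publish(zone_sk):
    """The zone owner signs its A record once; the signature travels with it."""
    sig = lamport_sign(zone_sk, canonical(ZONE_NAME, "A", TRUE_ADDR))
    return {"name": ZONE_NAME, "type": "A", "rdata": TRUE_ADDR, "rrsig": sig}


def honest_resolver(answer):
    """A resolver that relays the signed answer unchanged."""
    return dict(answer)


def lying_resolver(answer):
    """A resolver (or last-mile intermediary) that rewrites the answer. It
    cannot forge a fresh signature without the zone owner's private key."""
    forged = dict(answer)
    forged["rdata"] = BOGUS_ADDR
    return forged


def channel_only_client(answer):
    """DNSCrypt-style trust: the channel to the resolver is authenticated and
    encrypted, so whatever the resolver says is accepted as-is."""
    return answer["rdata"]


def validating_client(answer, zone_pk):
    """DNSSEC-style trust: verify the zone owner's signature over the data
    itself; a bad signature means the answer is discarded (SERVFAIL)."""
    data = canonical(answer["name"], answer["type"], answer["rdata"])
    if lamport_verify(zone_pk, data, answer["rrsig"]):
        return answer["rdata"]
    return None


def run_demo():
    """Run the four client/resolver combinations and return what each client
    ends up believing the address is (None = answer rejected)."""
    zone_sk, zone_pk = lamport_keygen()
    signed = zone_publish(zone_sk)
    return {
        "channel-only, honest resolver": channel_only_client(honest_resolver(signed)),
        "channel-only, lying resolver": channel_only_client(lying_resolver(signed)),
        "validating, honest resolver": validating_client(honest_resolver(signed), zone_pk),
        "validating, lying resolver": validating_client(lying_resolver(signed), zone_pk),
    }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(f"{scenario}: {result}")
```

Only the validating client rejects the rewritten answer. An encrypted, authenticated channel proves you reached the resolver you meant to reach; a signature from the zone owner proves the data is what was published, whoever relayed it.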

Your man-in-the-middle comment could be made about nearly any DNS provider and/or your Internet service provider. You can either choose to trust someone else somewhere or disconnect altogether and wear a tin foil hat. 😉

You are so wrong. You would probably understand DNSCrypt if you were living in a country that uses censorship.
Also, you say that OpenDNS is a man in the middle. That is also stupid, because any DNS host is a man in the middle. The solution in your eyes is to host your own DNS server?
DNSCrypt is surely not the best, but it prevents attacks like MITM, which are the main attacks at government level.
Cheers